

This guide describes how to join Ubuntu to a UCS 3 domain. This configuration has been tested with Ubuntu 12.04 LTS and Kubuntu 12.04 LTS.

LDAP and SSL configuration

After Ubuntu has been installed, the basic default configuration must be done. To simplify this, the default configuration of the UCS master should be copied to the Ubuntu system, for example:

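# Fill in the IP address of the UCS master before running the following commands.
export MASTER_IP=
: "${MASTER_IP:?set MASTER_IP to the IP address of the UCS master}"

mkdir -p /etc/univention
# Copy the UCR variables of the master, dropping its hostname so the local one is kept.
# This file is sourced as shell code below, so it must only ever come from the trusted
# master; the SSH host key check is what authenticates the master here.
ssh "${MASTER_IP}" ucr shell | grep -v '^hostname=' >/etc/univention/ucr_master
# Abort if nothing was copied (e.g. the ssh command failed), otherwise ldap_master is empty.
[ -s /etc/univention/ucr_master ] || { echo "could not read UCR values from ${MASTER_IP}" >&2; exit 1; }
echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
. /etc/univention/ucr_master

echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts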

Anonymous LDAP search is disabled by default in UCS 3, so the Ubuntu client needs an account in the UCS 3 domain to get read access to the LDAP directory.

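# Set some environment variables
. /etc/univention/ucr_master

# Download the SSL certificate.
# Everything that follows (LDAP TLS, Kerberos) trusts this CA, so the copy has to be
# authenticated: fetch it over SSH from the master (whose host key is already known from
# copying the UCR values) instead of an unauthenticated http:// download.
mkdir -p /etc/univention/ssl/ucsCA/
scp "root@${ldap_master}:/etc/univention/ssl/ucsCA/CAcert.pem" /etc/univention/ssl/ucsCA/CAcert.pem

# Create an account and save the password.
# A machine credential never has to be typed, so use a long random value.
password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c 32)"
# NOTE: --set password=... is part of the remote command line and is therefore visible in
# the master's process list while udm runs.
ssh "root@${ldap_master}" udm computers/managedclient create --position "cn=computers,${ldap_base}" \
    --set name="$(hostname)" --set password="${password}"
# The secret file must be root-only from the moment it is created; with the default umask
# it would be world-readable until a later chmod.
( umask 077; printf '%s\n' "${password}" >/etc/ldap.secret )
chmod 600 /etc/ldap.secret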

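# Install SSSD based configuration (-y: DEBIAN_FRONTEND only silences debconf, not apt's prompt)
DEBIAN_FRONTEND=noninteractive apt-get install -y sssd

# Create ldap.conf: defaults for the OpenLDAP client tools, pinned to the UCS CA.
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://${ldap_master}:7389
BASE ${ldap_base}
__EOF__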

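# Create sssd.conf.
# The file embeds the bind password, so create it root-only from the start (umask) rather
# than relying only on the chmod afterwards.
# Section headers [sssd], [nss], [pam] and [domain/<realm>] are required by sssd.
# ldap_tls_reqcert = demand: verify the server certificate against the UCS CA fetched
# above; "never" would accept any certificate and make the CA download pointless.
# ldap_id_use_start_tls = true: otherwise the default bind (DN + password below) is sent
# over plain ldap:// on port 7389.
(
umask 077
cat >/etc/sssd/sssd.conf <<__EOF__
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = ${kerberos_realm}

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/${kerberos_realm}]
auth_provider = krb5
krb5_kdcip = ${master_ip}
krb5_realm = ${kerberos_realm}
krb5_server = ${ldap_master}
krb5_kpasswd = ${ldap_master}
id_provider = ldap
ldap_uri = ldap://${ldap_master}:7389
ldap_search_base = ${ldap_base}
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base}
ldap_default_authtok_type = password
ldap_default_authtok = $(cat /etc/ldap.secret)
__EOF__
)
chmod 600 /etc/sssd/sssd.conf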

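# Install auth-client-config
DEBIAN_FRONTEND=noninteractive apt-get install -y auth-client-config

# Create an auth config profile for sssd.
# The profile name in the [sss] header is what "-p sss" below selects. The delimiter is
# quoted because the content is literal (no shell expansion wanted inside the PAM lines).
cat >/etc/auth-client-config/profile.d/sss <<'__EOF__'
[sss]
nss_passwd=     passwd:         compat sss
nss_group=      group:          compat sss
nss_shadow=     shadow:         compat
nss_netgroup=   netgroup:       nis

pam_auth=       auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
                auth    requisite                       pam_succeed_if.so uid >= 500 quiet
                auth    [success=1 default=ignore]      pam_sss.so use_first_pass
                auth    requisite                       pam_deny.so
                auth    required                        pam_permit.so

pam_account=    account required                                        pam_unix.so
                account sufficient                                      pam_localuser.so
                account sufficient                                      pam_succeed_if.so uid < 500 quiet
                account [default=bad success=ok user_unknown=ignore]    pam_sss.so
                account required                                        pam_permit.so

pam_password=   password        sufficient      pam_unix.so obscure sha512
                password        sufficient      pam_sss.so use_authtok
                password        required        pam_deny.so

pam_session=    session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
                session optional                        pam_keyinit.so revoke
                session required                        pam_limits.so
                session [success=1 default=ignore]      pam_sss.so
                session required                        pam_unix.so
__EOF__
auth-client-config -n -a -p sss

# Start sssd
service sssd start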

The commands getent passwd and getent group should now also list all users and groups of the UCS 3 domain.


To allow users to log in, the home directory should be created at login.

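# pam-auth-update profile: create the home directory at first login.
# The module line belongs under a "Session:" key. umask=0077 keeps new home directories
# private to their owner, consistent with the pam_mkhomedir line in the sss profile.
cat >/usr/share/pam-configs/ucs_mkhomedir <<'__EOF__'
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0077 skel=/etc/skel
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update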

During login, users should be added to some local groups, for example:

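# Example group.conf rule: every user gets these local groups at every login.
# Review the list for your site — "adm" in particular grants read access to system logs.
# Only append the rule once, so re-running this snippet does not duplicate it.
grep -qxF -- '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' /etc/security/group.conf \
  || echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' >>/etc/security/group.conf

# pam-auth-update profile for pam_group (written with ">" so it is replaced, not appended to,
# on a re-run). The module line belongs under an "Auth:" key.
cat >/usr/share/pam-configs/local_groups <<'__EOF__'
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update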

By default Ubuntu (12.04 LTS) shows only local users at the login screen. After adding the following line, a user name can be entered manually:

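# Add a field for a user name (only append the key if it is not present yet, so the
# snippet can be re-run without duplicating lines)
grep -qxF 'greeter-show-manual-login=true' /etc/lightdm/lightdm.conf \
  || echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf

# Optional: Disable the user selection at the login screen
grep -qxF 'greeter-hide-users=true' /etc/lightdm/lightdm.conf \
  || echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf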

With these settings the login for domain members should be possible.

Kerberos integration

A UCS 3 domain provides a Kerberos realm. The Ubuntu client should use the UCS 3 DNS server, because Kerberos relies heavily on DNS. The following steps show an example configuration.

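# Set some environment variables
. /etc/univention/ucr_master

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients libpam-heimdal

# Default krb5.conf.
# ucr_master defines master_ip (lower case); MASTER_IP only existed in the shell that
# created that file, so it would expand to nothing here. [libdefaults] and [realms] are
# the section headers the file needs; the realm block must be closed with "}".
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = ${kerberos_realm}
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
${kerberos_realm} = {
   kdc = ${master_ip} ${ldap_master}
   admin_server = ${master_ip} ${ldap_master}
}
__EOF__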

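# Stop and disable the avahi daemon
# (presumably so mDNS does not interfere with the domain's DNS, on which Kerberos relies — confirm)
service avahi-daemon stop
sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf

# Synchronize the time with the UCS system (Kerberos rejects tickets when clocks differ too much)
ntpdate "${ldap_master}"

# Test Kerberos
kinit Administrator

# This login shouldn't ask for a password
ssh "Administrator@${ldap_master}" ls /etc/univention

# Destroy the kerberos ticket
kdestroy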

Authentication caching

Cached credentials are helpful if no UCS domain controller can be reached. Caching can be activated by executing the following steps:

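# Install packages
DEBIAN_FRONTEND=noninteractive apt-get install -y nss-updatedb libnss-db libpam-ccreds

# Dump the LDAP data
nss_updatedb ldap

# Call it every day.
# run-parts executes the file directly, so it needs an interpreter line. The absolute path
# of nss_updatedb is resolved now, while the file is written, so the job does not depend
# on cron's PATH.
cat >/etc/cron.daily/upd-local-nss-db <<__EOF__
#!/bin/sh
$(command -v nss_updatedb) ldap
__EOF__
chmod +x /etc/cron.daily/upd-local-nss-db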

# Added NOTFOUND case for ldap in nsswitch.conf.
# NOTE(review): this rewrites the passwd/group lines that auth-client-config set to
# "compat sss" above into "files ldap [NOTFOUND=return] db" — confirm that is intended
# together with the SSSD setup.
sed -i \
  -e 's|^passwd: .*|passwd: files ldap [NOTFOUND=return] db|' \
  -e 's|^group: .*|group: files ldap [NOTFOUND=return] db|' \
  /etc/nsswitch.conf

# Skip pam_ldap if user_unknown or authinfo_unavail as well
sed -i 's/^\(account.*\[success=\)\(.\)\(.*pam_ldap.so\)/\1\2 user_unknown=\2 authinfo_unavail=\2 \3/' \

